Install and Configure Forefront Identity Manager 2010—Step by Step

Systems requirements:

• Windows Server 2008 x64 Standard or R2
• SQL 2008 x64 Standard or Enterprise DB Engine +Full Text Search
• SQL 2008 x64 SP2
• Windows Power Shell 1.0 or 2.0
• NET 3.5 SP1
• Internet Information Services Role (IIS)
• Exchange 2007 or 2010Management Console
• Windows SharePoint Services 3.0 SP2

FIM Client Computers:

• Windows XP SP2 or Windows 7 SP1
• Microsoft .NET Framework 3.5 SP1
• Microsoft Office Outlook 2007 SP2
• Smart Tag .NET Programmability Support (Available in Office Setup)
• Smart Tag .NET Programmability Support (Available in Office Setup>Office Tools)

Unsupported Configuration: SharePoint 2010 is NOT supported

Prerequisites:

• Create an email enabled domain service account to run the FIM Service component.
• Create a domain service account to run the FIM Synchronization Service.
• Create a FIM Service Management Agent account.
• Configure the service accounts that are running the FIM server components
• Office SharePoint 3.0 SP2 Web site installed and initialized.
• Select the correct identity for the SharePoint Application Pool.
• Implement Secure Sockets Layer (SSL) for FIM Portal.
• Configure the server running SQL.
• Configure the SQL aliases.
• Configure the SQL collation settings.
• Establish Service Principal Names (SPN) for FIM 2010.

To Create Service Account in Active Directory

Log on to Admin Server or Domain Controller and Create the following Service Accounts and Security Group

Set password and account to never expires.

Enable mailbox for FIM service account.

To enable the FIM MA to log on locally

Log on to FIM Server(s). Click Start>click Administrative Tools>Click Local Security Policy

Expand Local PoliciesUser Rights Assignment.

In the policy Allow log on locally, ensure that the FIM MA account is explicitly specified, or add it to one of the groups that is already granted access.

Open Server Manager>Local Users and Groups>Add sa-fimservice into Users group. Apply>Ok.

Important!

• service accounts should not be members of the local administrators group.
• The FIM Synchronization Service service account should not be a member of the security groups that are used to control access to FIM Synchronization Service FIMSyncAdmins
• Ensure that the Exchange Web Service and IIS default Web site are not both configured to use port 80
• Ensure that a SharePoint Default Web site is installed and initial configuration is completed.
• Verify the installation by navigating to http://localhost:80 on the server where you will install the FIM Portal
• Select the correct identity for the SharePoint Application Pool

To run the SharePoint Application Pool using an account that is located in the domain

Start Administrative Tools>SharePoint 3.0 Central Administration

Select Operations>Security Configuration> Click Service Accounts

Select Web Application Pool, and select Windows SharePoint Services Web Application. Select the SharePoint Application Pool where the FIM Portal will be installed, which by default is SharePoint – 80.

Enter the user name and password for the service account that you created in the first step.> Click OK.

To Enable Application Pool for Windows Authentication using Kerberos:

 

To learn more about Extended protection visit the KB and Enable the Application Pool to use the service account for Kerberos.

To establish the SPNs for the FIM Service: Open Command Prompt in Admin Server or a DC type the following.

setspn –S sa-fimservice/FIMPortal.microsoftguru.com.au  microsoftgurusa-fimservice

setspn –A HTTP/FIMPortal.microsoftguru.com.au microsoftgurusa-fimservice

setspn –A HTTP/FIMPortal.microsoftguru.com.au FIM

FIMPortal.microsoftguru.com.au is the Alias of FIM Server added into host header

microsoftgurusa-fimservice is the account for SharePoint App Pool uses and defined in IIS.

microsoftgurusa-fimservice service account for FIM service

if you cannot add SPN using delegation tab. user computer account and service account attribute tab and add SPN.

select “Trust this user for delegation to the specified services only”.

If the address that the clients use to contact the FIM Portal is not the same as the server FQDN, you have to establish an SPN for HTTP. That is, if you use a CNAME resource record in DNS, have a SharePoint farm, or use NLB, this address must be registered or Internet Explorer cannot use the Kerberos protocol when it contacts the portal. Run the following command:

Install .NET and IIS on FIM Server:

Install Office SharePoint Services:

To implement SSL with a certificate from an existing internal CA. Create a base-64-encoded certificate using this guide “Request and install an Web Server Certificate “ into FIM Server. Bind Web Server Certificate with Sharepoint – 80. 

 

IIS Manager>Click Sites> select Sharepoint – 80. Click Bindings, and then click Add. Select https. Select Certificate>Click OK.Remove the HTTP binding.

Click SSL Settings, and then check Require SSL.

Apply the settings.

Click Start, click Administrative Tools, and then click Sharepoint 3.0 Central Administration.Click Operations, and then click Alternate Access Mappings. Click http://FIMservername. Change http://FIMservername to https://FIMservername click OK. Click Start, Run, enter iisreset, and then click OK.

Test Office SharePoint is working on Port 443

Ensure that the service accounts used by SQL Server Database and SQL Server Agent are either domain accounts or built-in service accounts

To locate databases on different drives

1. Start Microsoft SQL Server Enterprise Manager
2. Right-click the server, and then click Properties.
3. Go to Database settings. Make the necessary adjustments on the Data and Log settings to ensure that the database files are located on a different drive than the operating system.

Configure SQL aliases: If you plan to install FIM Service or FIM Synchronization Service on a server running SQL that is using a non default port, you must create a SQL alias for Setup to be able to contact the SQL server.

To create a SQL alias for Setup to be able to contact the SQL server

1. Start the SQL Server Configuration Manager.
2. Navigate to SQL Native Client 10.0 Configuration/Aliases.
3. Create a new alias with your server information.

You do not have to do the SQL steps if you have a separate SQL server. I am doing it because this is my test environment.

Install FIM Server Components:

• FIM Synchronization Service
• FIM Service
• FIM Portal
• FIM Password Portal

To install the FIM Synchronization Service

On the FIM 2010 startup screen, click the Install Synchronization Service link. Run Setup.exe, and then follow the instructions in the installation wizard.

To install the FIM Service

On the FIM 2010 startup screen, click the Install Service and Portal link. Run Setup.exe, and then follow the instructions in the installation wizard

On the Custom Setup page, you are prompted for the applications that you want to install. In the drop-down menu next to FIM Services, click Will be installed on local hard drive.

Click Next. On the Configure Common Services page, in the Database Server box, type the name of the server that hosts SQL Server 2008. Click Next.

On the Configure Common Services – Configure mail server connection page, in Mail Server, type the name of the server hosting the Exchange Web services. Click Next.

On the Configure Common Services – Configure service certificate page, select the option to generate a new self-issued FIM certificate that is used by the Web service to validate communication from the clients, or select a certificate from the certificate store, and then click Next.

On the Configure Common Services – Configure the FIM service account page, provide the credentials for the FIM domain service account. In Service e-mail Account, ensure that you type the e-mail address for the FIM service account and not your personal e-mail address. Click Next.

On the Configure Common Services – Configure the Forefront Identity Manager synchronization connection, in the Synchronization Server box, type the name of the server that is hosting the FIM Synchronization Service component. In the FIM 2010 Management Agent Account* box, type the domainaccount of the FIM MA account. Example: microsoftgurusa-fimagent . Click Next.

In Configure FIM Service and Portal – Configure connection to the FIM Service, type the name of the server or the alias that the clients should use to contact the FIM Service. If you plan to use an alternative name (that is, a CNAME resource record in Domain Name System (DNS)), type the alternative name. If you plan to have several FIM Service servers in a Network Load Balancing (NLB) cluster, type the name of the cluster address. Click Next.

On the Configure FIM Service and Portal – Configure security changes configured by setup, to allow clients to contact the Web service interface, select Open ports 5725 and 5726 in firewall. Example: https://localhost

Click Next, then click Install.

 

Post-Installation Tasks

• Add the FIM Service service account to the FIM Synchronization Service security groups.
• Configure the FIM Service service Exchange Server mailbox.
• Turn off the SharePoint indexing.
• Turn on the Kerberos v5 protocol only.
• Install Exchange 2007 and Exchange 2010 Web Service Certificate.

Installing the latest update for FIM: Updates for FIM are posted on Microsoft Update. Ensure that you install the latest update from Microsoft Update.

1. In Windows Server 2008, click Start, and then click Windows Update.
2. Click Check for updates. Install any new updates for FIM that are available.

Add the FIM Service service account to the FIM Synchronization Service security groups

• Add the service account used by the FIM Service to the FIMSyncAdmins group. This allows the FIM Service to configure the FIM Synchronization service. If you plan to use the Password Reset feature of FIM 2010, add the service account that the FIM Service uses to the security group FIMSyncPasswordSet. So that the group membership is effective, restart the FIMService service.

Configuring the FIM Service service Exchange mailbox

The following are best practices for configuring Exchange Server for the FIM Service service account.

Configure the service account so that it can accept mail only from internal e-mail addresses. Specifically, the service account mailbox should never be able to receive mail from external SMTP servers.
In the Exchange Management Console, select the FIM Service service account sa-fimservice, right click Properties, click Mail Flow Settings, and then click Mail Delivery Restrictions. Select the Require that all senders are authenticated check box.

Configure the service account so that it rejects mail messages with sizes greater than 1 MB.
Follow the best practice of configuring the Exchange 2007 message size limits. In the Exchange Management Console, select the FIM Service service account sa-fimservice, right click Properties, click Mail Flow Settings, and then click Message Size restriction

Configure the service account so that it has a mailbox storage quota of 5 gigabytes (GB).
Follow the best practice of configuring the Exchange 2007 mailbox size limits:
In the Exchange Management Console, select the FIM Service service account sa-fimservice, right click Properties> Mailbox Settings>Storage Quota

Disabling SharePoint indexing

It is recommended that you disable SharePoint indexing. There are no documents that need to be indexed, and indexing causes many error log entries and potential performance problems with FIM 2010.

To disable SharePoint indexing

On the server that hosts the FIM 2010 Portal,  click Start>Click All Programs list, Under Administrative Tools, click SharePoint 3.0 Central Administration.

On the Central Administration page, click Operations. On the Operations page, under Global Configuration, click Timer job definitions.

On the Timer Job Definitions page, click SharePoint Services Search Refresh. On the Edit Timer Job page, click Disable.

Activating the Kerberos protocol only

We highly recommend that you turn off portal authentication that uses NTLM. The Kerberos protocol is a more secure protocol to use.

To activate Kerberos protocol only

1. Open Elevated Command Prompt. Locate C:inetpubwwwrootwssVirtualDirectories80
2. Type notepad Web.config , Locate the element <resourceManagementClient . . . />
3. Add requireKerberos=”true” so that it reads <resourceManagementClient requireKerberos=”true” . . . />

1. Save the Web.config file.
2. Run iisreset from a command prompt.

Installing the Exchange 2010 Web Service (EWS) Certificate: If your server running Exchange is using a certificate that is untrusted by the FIM Service, the certificate used by the Exchange server must be added to the local certificate store.

To install the Exchange certificate on the FIM Service server

1. Open Internet Explorer.
2. In the address bar, type https://mailserver/EWS/exchange.asmx. Mailserver is the server running Exchange that you specified when you installed the FIM 2010 component. Select Continue to this Web site.

In the Security Alert dialog box (where it reads Certificate Error), click View Certificate.

In the Certificate dialog box, click Install Certificate. On the Welcome to the Certificate Import Wizard page, click Next.

On the Certificate Store page, select Place all certificates in the following store, and then click Browse. Select the Show physical stores check box, navigate to Trusted PeopleLocal Computer, and select this store. Click OK. Click Next. Click Finish to import the certificate.

Verifying that the certificate and verify that the EWS can be reached

To install the FIM Add-ins and Extensions

Close Microsoft Office Outlook if it is running. Depending on the client computer’s architecture, on the FIM 2010 startup screen, click either the Install Add-ins and Extensions, 64 bit or the Install Add-ins and Extensions, 32 bit link.Run setup.exe, and then follow the instructions in the installation wizard.

On the Custom Setup page, you are prompted for the applications that you want to install. The component FIM Password and Authentication extension installs the GINA/Credential provider and an ActiveX® control for Internet Explorer. On a 64-bit installation, an additional component is available, FIM Portal Authentication Extensions, that installs a 32-bit ActiveX control for Internet Explorer

On the Configure FIM Add-ins and Extensions page, in FIM Portal Server address, type the name or alias of the server that hosts the FIM Portal. Decided whether you plan to contact the FIM Portal using http or https (recommended). In FIM Service service account e-mail address, type the e-mail address in SMTP format—that is, in a format similar to sa-fimservice@microsoftguru.com.au of the FIM Service service account. Do not type the alias or display name of the account.

On the Configure FIM Add-ins and Extensions page, in FIM Service Server address, type the name or alias of the server that hosts the FIM Service. If the Service and Portal components are installed on the same server, this will be the same value as on the previous page.

On the Configure FIM Add-ins and Extensions page, in the SiteLock box, type all addresses that the users can use to access the FIM Portal. For example, if users can access the server by using both FIMserver and FIMserver.microsoftguru.com.au, than enter FIMserver;fimserver.microsoftguru.com.au in this box.

If you have FIM Portal and FIM Password Reset Portal on two different servers, enter both addresses in this box. Click Install.

 

To install the FIM Add-ins and Extensions Language Pack

• Log on to a client computer with administrator permissions.
• Run Setup.exe, and then follow the instructions in the installation wizard.
• On the Microsoft Forefront Identity Manager Client Language Pack Setup page, click Next.
• On the End-User License Agreement page, click I accept the terms in the License Agreement, and then click Next.
• On the Custom Setup page, select the languages that you want to install, and then click Next.
• Click Install.
• When the installation is complete, click Finish.

 

View the FIM Add-in for Outlook and Password Reset Extensions in your selected language

The following procedures demonstrate how to verify that the FIM Add-in for Outlook is using localization.

To view the FIM Add-in for Outlook and Password Reset Extensions in your selected language on Windows XP

• Log on to a client computer with administrator permissions.
• Click Start, and then click Control Panel.
• In Control Panel, click Regional and Language Options.
• On the Options tab, under Select an item to match its preferences, or click Customize to choose your own formats, select the language that you want.
• On the Languages tab, under Language to be used in menus and dialogs, select the language that you want.
• Click the Advanced tab, and under Select a language to match the language version of the non-Unicode programs you want to use:, click the language that you want. Click Apply.
• If you are prompted by a message telling you that the required files are already installed on your hard disk, you can click Yes to use these files and skip the process of copying these files from the CD. Otherwise ,you may need the original Windows XP installation media to copy the required files.
• Click Yes to restart the Windows XP client.
• When the client restarts, log on to the computer.Open Outlook and use the functionality of the FIM Add-in for Outlook.
• To view Windows another language, repeat steps 1 through 11.

To view the FIM Add-in for Outlook and Password Reset Extensions in the language you want on Windows Vista or Windows 7

1. Log on to a client computer with administrator permissions.
2. Click Start>Click Control Panel> In Control Panel, click Regional and Language Options.

3. On the Keyboards and Languages tab, under Display language, select the language that you want to install. Click OK.> Click Apply> Click OK. Open Outlook, and use the functionality of the FIM Add-in for Outlook.

4. To view Windows another language, repeat steps 1 through 9.

Install Active Directory password reset notification component into a Domain Controller

 

 

 

To Configure FIM Active Directory Domain Services follow the screen shoots:

To Configure Profile follow the screen shots

To configure global catalog server sync follow the screenshot